WordPress Security Updates: April 2020

These monthly reports are provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user.

We sincerely hope these efforts help anyone who can use information from the experts on the month's security issues. We commend the researchers and developers who help to identify and patch these issues in a timely fashion.

WordPress Core

The WordPress 5.4.1 security release fixed the following issues in core. Sites that have not auto-updated should update to 5.4.1 or later:

Two XSS (cross-site scripting) vulnerabilities in the Customizer

XSS in wp-object-cache

XSS in the file upload process

XSS in the search block

Password reset tokens not being invalidated

Plugin/Theme Vulnerabilities of Note

WordPress site owners who have any of the following plugins installed are strongly encouraged to remove them or find a replacement as soon as possible. These plugins were removed from the WordPress.org plugin repository or from CodeCanyon because their developers did not patch one or more reported security flaws:

art-picture-gallery

bsi-hotel-pro

car

catch-breadcrumb

contact-form-7-datepicker

poll-wp

support-ticket-system-by-phoeniixx

widget-settings-importexport

wp-advanced-search

wp-post-page-clone

wp-gdpr-core

The following plugins had high severity vulnerabilities addressed in April:

Simple File List

This plugin has a low install count of 4,000+ but a high-risk arbitrary file upload vulnerability in versions below 4.2.3 that can lead to remote code execution. An unauthenticated user can upload an image file containing PHP code, then make a second request that renames the file's extension to .php, making it executable via the web. The lesson for any file-handling plugin is that a rename is a second write path and needs the same extension and path validation as the original upload.

Media Library Assistant

With over 60,000 installs, the Media Library Assistant plugin had an authenticated remote code execution vulnerability that was fixed in version 2.82.

LearnDash

The LearnDash premium plugin (sfwd-lms) is vulnerable to unauthenticated remote SQL injection, which could allow attackers to read or manipulate the site's database. Site owners should ensure their sfwd-lms plugin is updated to version 3.1.6 or higher. Because it is a premium plugin, this must be done manually and may require re-purchase to receive the patch.
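As an added illustration of the LearnDash item (this is not LearnDash's code): a constructed SQLite table stands in for the site database, a hypothetical course-lookup handler is shown once with string-built SQL and once with parameter binding, and a typical injection payload is run through both. The table, rows and payload are all constructed for the example.

```python
"""Constructed SQL injection illustration; not code from LearnDash or WordPress."""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one public course and one that must stay hidden."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE courses (id INTEGER, title TEXT, visibility TEXT)")
    con.executemany(
        "INSERT INTO courses VALUES (?, ?, ?)",
        [(1, "Intro", "public"), (2, "Internal training", "private")],
    )
    con.commit()
    return con


def lookup_vulnerable(con: sqlite3.Connection, course_id: str) -> list[str]:
    """Hypothetical vulnerable handler: request input is pasted into the SQL text,
    so the caller controls the WHERE clause and can disable the visibility filter."""
    sql = f"SELECT title FROM courses WHERE id = {course_id} AND visibility = 'public'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, course_id: str) -> list[str]:
    """Hardened form: the value travels as a bound parameter and is never parsed
    as SQL. WordPress code gets the same effect from $wpdb->prepare()."""
    sql = "SELECT title FROM courses WHERE id = ? AND visibility = 'public'"
    return [row[0] for row in con.execute(sql, (course_id,))]


# Constructed payload: closes the id comparison and comments out the rest of
# the WHERE clause, so the private row is returned by the vulnerable handler.
PAYLOAD = "1 OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id :", lookup_vulnerable(db, "1"))
    print("vulnerable, payload   :", lookup_vulnerable(db, PAYLOAD))
    print("bound param, normal id:", lookup_safe(db, "1"))
    print("bound param, payload  :", lookup_safe(db, PAYLOAD))
```

With the bound parameter, the payload is compared as a literal string against the integer column and matches nothing; the only fix that matters is that user input never becomes part of the SQL text.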

Tickera WordPress Event Ticketing

Site owners using the Tickera WordPress Event Ticketing plugin should update immediately to version 3.4.6.9 or higher. A public exploit shows how an attacker can download a PDF containing the details of all registered attendees for an event. This poses a high risk for site owners who are concerned about protecting private data.

LifterLMS

LifterLMS versions before 3.37.15 did not properly check file types or paths when updating files on the web server, so an attacker could write web-executable files to the site. This is a high-risk vulnerability and site owners should update immediately.
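The Simple File List and LifterLMS items above are the same failure seen from two angles: an extension check that is skipped on one write path (the rename) and a path check that is missing on another (the update). The following is an added example, not code from either plugin, of the checks a file-handling feature should apply on every write, plus a sweep that finds image files already carrying PHP. The allow-list, the file names and the file contents are constructed for the example.

```python
"""Added example of upload, rename and path validation; not code from any plugin."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Assumed allow-list for this example; a real feature would set its own.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions a typical PHP web server executes; never allowed, not even by rename.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php5", "php7", "phps", "phar", "pht"}
PHP_MARKERS = (b"<?php", b"<?=")


class UnsafeFile(ValueError):
    """Raised when a name, path or payload fails validation."""


def confine(base: Path, user_path: str) -> Path:
    """Resolve user_path beneath base and refuse anything that escapes it."""
    root = base.resolve()
    target = (root / user_path).resolve()
    if target != root and root not in target.parents:
        raise UnsafeFile(f"path escapes upload directory: {user_path}")
    return target


def check_name(name: str) -> str:
    """Reject executable extensions in any dotted segment, then apply the allow-list.

    "shell.jpg.php" is executable outright; "shell.php.jpg" can be under Apache's
    multi-extension handling. Dotfiles such as ".htaccess" have no base name and
    are refused too, since one can re-map .jpg to PHP.
    """
    parts = Path(name).name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        raise UnsafeFile(f"missing or malformed extension: {name}")
    for segment in parts[1:]:
        if segment in EXECUTABLE_EXTENSIONS:
            raise UnsafeFile(f"executable extension in name: {name}")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise UnsafeFile(f"extension not on allow-list: {name}")
    return name


def check_content(data: bytes) -> None:
    """Refuse payloads carrying a PHP open tag, whatever the claimed file type."""
    if any(marker in data for marker in PHP_MARKERS):
        raise UnsafeFile("PHP code inside uploaded file")


def save_upload(base: Path, name: str, data: bytes) -> Path:
    target = confine(base, check_name(name))
    check_content(data)
    target.write_bytes(data)
    return target


def rename_upload(base: Path, old: str, new: str) -> Path:
    # The rename is its own request, so the new name gets the full name check.
    # Skipping this is the gap the Simple File List write-up describes.
    src = confine(base, old)
    dst = confine(base, check_name(new))
    src.rename(dst)
    return dst


def find_php_payloads(base: Path) -> list[str]:
    """Detection sweep: every file under base whose bytes contain a PHP open tag."""
    hits = []
    for path in sorted(base.rglob("*")):
        if path.is_file() and any(m in path.read_bytes() for m in PHP_MARKERS):
            hits.append(path.relative_to(base).as_posix())
    return hits


def attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "allowed"
    except UnsafeFile as exc:
        return f"rejected: {exc}"


def demo() -> dict[str, object]:
    """Run the scenarios from the write-up against the checks above."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16            # constructed JPEG-like bytes
    webshell = jpeg + b"<?php system($_GET['c']); ?>"     # constructed image/PHP polyglot
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        out = {
            "clean_upload": attempt(save_upload, base, "photo.jpg", jpeg),
            "php_inside_image": attempt(save_upload, base, "photo2.jpg", webshell),
            "rename_to_php": attempt(rename_upload, base, "photo.jpg", "shell.php"),
            "rename_double_ext": attempt(rename_upload, base, "photo.jpg", "shell.php.jpg"),
            "htaccess": attempt(save_upload, base, ".htaccess", b"AddType application/x-httpd-php .jpg\n"),
            "traversal": attempt(save_upload, base, "../escape.txt", b"x"),
        }
        # A file that slipped in before these checks existed: the sweep finds it.
        (base / "legacy.png").write_bytes(webshell)
        out["sweep"] = find_php_payloads(base)
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:18} {result}")
```

Running the sweep over wp-content/uploads of a site that had the vulnerable versions installed is the quick check for whether the upload-then-rename sequence was ever used; a hit there is a reason to start incident response rather than just patch.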

See previous months’ WordPress security updates from March and February.